Fleet Open Source Device Management Software OS Command Injection Vulnerability in Software Installer Pipeline

Vulnerability

A vulnerability exists in Fleet's software installer pipeline prior to version 4.81.0 that allows a crafted software package to execute arbitrary commands as root on macOS and Linux, or as SYSTEM on Windows, when an uninstall is triggered. The root cause is that metadata extracted from uploaded software packages is not sanitized before being interpolated into the automatically generated uninstall scripts. A specially crafted package can therefore embed shell commands in its metadata, and those commands run with the agent's privileges during uninstallation on managed endpoints.
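To make the weakness concrete, here is an added example (not Fleet's code; the struct, field and function names are assumptions) that generates a macOS uninstall script two ways: once by pasting extracted package metadata straight into a shell template, and once by allow-listing and single-quoting the value so it can only ever be a literal path. The hostile metadata value is constructed and uses a harmless echo to show where injected text lands.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PackageMeta is a constructed stand-in for the fields an installer pipeline
// pulls out of an uploaded package (for example an app name read from a
// .pkg/.deb/.msi manifest). Field names are assumptions, not Fleet's.
type PackageMeta struct {
	Name string
}

// unsafeUninstallScript shows the weak pattern: untrusted metadata is pasted
// straight into a shell template, so shell metacharacters in the package
// name become part of the command line the agent later runs as root.
func unsafeUninstallScript(m PackageMeta) string {
	return fmt.Sprintf("#!/bin/sh\nrm -rf /Applications/%s.app\n", m.Name)
}

// validName is an allow-list for values that may appear in a generated
// script: letters, digits, space, dot, underscore, hyphen. Anything else
// (quotes, $, ;, backticks, newlines) is rejected up front.
var validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 ._-]*$`)

// shellQuote wraps s in single quotes and escapes any embedded single quote
// as '\'' so that POSIX sh treats the whole value as one literal word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// safeUninstallScript validates the metadata against the allow-list and
// still quotes it (defence in depth), so the value can never be parsed as
// shell syntax even if the allow-list is later relaxed.
func safeUninstallScript(m PackageMeta) (string, error) {
	if !validName.MatchString(m.Name) {
		return "", fmt.Errorf("package name %q contains characters not allowed in a generated script", m.Name)
	}
	path := "/Applications/" + m.Name + ".app"
	return "#!/bin/sh\nrm -rf " + shellQuote(path) + "\n", nil
}

func main() {
	benign := PackageMeta{Name: "Fleet Demo"}
	// Constructed hostile value: a harmless echo stands in for whatever
	// would be chained after the ';' in a real crafted package.
	hostile := PackageMeta{Name: "Demo; echo INJECTED"}

	fmt.Print("unsafe template, hostile metadata:\n", unsafeUninstallScript(hostile))
	if _, err := safeUninstallScript(hostile); err != nil {
		fmt.Println("safe template, hostile metadata: rejected:", err)
	}
	s, _ := safeUninstallScript(benign)
	fmt.Print("safe template, benign metadata:\n", s)
}
```

The same two rules apply to the Windows path: a value bound for a PowerShell or cmd script must be allow-listed and then quoted with that interpreter's literal-string syntax, never concatenated. Reviewing a generated script for unquoted interpolation of package fields is exactly the manual check the remediation section below suggests for deployments that cannot upgrade immediately.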

Impact

Exploitation of this vulnerability leads to unauthorized command execution on managed endpoints with elevated privileges: root on macOS and Linux, SYSTEM on Windows.

Remediation

Upgrade to Fleet version 4.81.1 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, administrators should avoid uploading software packages from untrusted sources and should manually inspect and, where needed, edit the automatically generated uninstall scripts before deployment.

Added: May 14, 2026, 9:33 PM
Updated: May 14, 2026, 9:33 PM

Vulnerability Rating

Custom Algorithm

  spread           0.8
  impact          10.0
  exploitability   4.8
  remediation      7.9
  relevance        8.3
  threat           0.0
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.